Welcome to the Performance Driven Academy! We will begin the - - PowerPoint PPT Presentation


slide-1
SLIDE 1

Welcome to the Performance Driven Academy! We will begin the webinar shortly.

If you haven’t already done so, please complete the End Semester 1/Midpoint Survey (link in chat box). Everyone should complete this individually. If you viewed the previous webinar, also take the 3 question Webinar Feedback Survey. Questions? Email us at pda@ccsi.org

slide-2
SLIDE 2

Performance Driven Academy

SESSION 7: ASSESSING CORPORATE COMPLIANCE, HIPAA PRIVACY AND SECURITY

slide-3
SLIDE 3

Brought to you by the Managed Care Technical Assistance Center

Speaking: Briannon O’Connor, PhD

Associate Director CCSI’s Center for Collaboration in Community Health

slide-4
SLIDE 4

Reminders

  • Links to the End of Semester 1/Midpoint evaluation were sent out
  • Takes about 10 minutes
  • You’ll receive a report summarizing results
  • Each individual should complete it
  • Webinars are recorded and you should have received materials ahead of this webinar

  • Chat in questions/comments to all panelists at any time
  • Contact us at pda@ccsi.org
slide-5
SLIDE 5

Elements of a Performance Driven Organization

Developed by CCSI’s Center for Collaboration in Community Health

slide-6
SLIDE 6

Elements of a Performance Driven Organization

Developed by CCSI’s Center for Collaboration in Community Health

slide-7
SLIDE 7
  • 1. RCM & Financial Best Practices
  • 2. Corporate compliance, security, & privacy
  • 3. Contracting & Negotiation
  • 4. In-person sessions

Part 2: Leadership Practices to Support Change

slide-8
SLIDE 8

Assessing Corporate Compliance, HIPAA Privacy and Security

June Crawford – Principal, Compliance Solutions, The Bonadio Group

slide-9
SLIDE 9

Background of Today’s Speaker

June Crawford, RN, BSOM, CHC, CHPC, RAC-CT

Principal, The Bonadio Group; jcrawford@bonadio.com

  • Over 30 years’ experience in healthcare and human service settings
  • Healthcare Consultant for 16 years; certified in Healthcare Compliance and Healthcare Privacy Compliance
  • Former Compliance Officer and HIPAA Privacy Officer
  • Experienced in risk assessments, policy development and process implementation

slide-10
SLIDE 10

Learning Objectives

  • Identify the elements of an effective Corporate Compliance Program
  • Explore methods to evaluate the effectiveness of your Corporate Compliance Program
  • Learn how to incorporate HIPAA Risk Assessment into your Corporate Compliance Program
  • Learn how to incorporate results into an Annual Compliance Work Plan
slide-11
SLIDE 11

HIPAA Risk Assessment

  • HIPAA Security Rule: All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule.
  • A risk analysis is a requirement (§ 164.308(a)(1)(ii)(A)): “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the organization.”
  • HHS Office of Civil Rights: “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.”
  • “A risk analysis is foundational: The Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI.”
slide-12
SLIDE 12

HIPAA Risk Assessment

  • OCR Guidance: “The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)”
  • “The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.”

slide-13
SLIDE 13

HIPAA Risk Assessment

HIPAA Privacy Assessment should address the following:

  • Privacy & Confidentiality
  • Notice of Privacy Practices
  • Policies and Procedures
  • Marketing/Fundraising/Sale of PHI
  • Minimum necessary Rule
  • Decedents
  • Research Authorizations
  • Disclosures
  • Workforce/Employee Training
  • Access to PHI
  • HIPAA Compliance in Front and Back Office, and by Providers
  • Business Associate contracting activities and BA Agreements in use
slide-14
SLIDE 14

HIPAA Security Risk Assessment

Resources:

U.S. Department of Health and Human Services (HHS) and The Office of the National Coordinator for Health Information Technology (ONC) developed a tool and guidance:

  • Security Risk Assessment (SRA) Tool available at https://www.healthit.gov/topic/privacy-security/security-risk-assessment-tool

slide-15
SLIDE 15

Corporate Compliance 101

slide-16
SLIDE 16

On an organizational level:

  • Long term commitment to conduct business in ways that promote doing the right things

  • Continually monitoring that the right things are being done
  • Responding to changes and problems that are identified along the way

Corporate Compliance

slide-17
SLIDE 17
  • 1997: Clinical laboratories have model compliance plans in place
  • 1998: Hospitals, Home Health Agencies, Third Party Billers follow suit
  • 1999: Durable Medical Equipment, Hospice, and Skilled Nursing Facilities get on board
  • 1996: HIPAA
  • 2005-06: Deficit Reduction Act
  • 2009: NY Social Service Law 363-d – OMIG
  • 2013: Affordable Care Act – Nursing Homes

History of Corporate Compliance

slide-18
SLIDE 18

Compliance Program Applicability

“Every required provider shall adopt and implement an effective compliance program…Required providers’ compliance programs shall be applicable to:

  • Billings
  • Payments
  • Medical necessity and quality of care
  • Governance
  • Mandatory reporting
  • Credentialing
  • Other risk areas that are or should with due diligence be identified by the provider”

18 NYCRR Part 521

slide-19
SLIDE 19
  • Written Policies and Procedures / Code of Conduct
  • Compliance Program Oversight
  • Training and Education
  • Effective, Confidential Communications
  • Enforcement of Compliance Standards
  • Auditing and Monitoring
  • Responding to Offenses and Developing a Corrective Action Plan
  • Policy of Non-retaliation and Non-intimidation

Eight Elements of a Compliance Program

slide-20
SLIDE 20
  • Issued October 2016; available on OMIG website: www.omig.ny.gov
  • Provides detailed guidance in each of eight required elements
  • OMIG Compliance Program Self-Assessment Form; tool available on OMIG website: www.omig.ny.gov

  • Allows for self-evaluation in each of eight required elements
  • Evaluator records specific citations to policies, documents

OMIG Compliance Program Guidance

slide-21
SLIDE 21

Best Practices

  • Publication of code of conduct and/or Compliance Plan document on the agency’s intranet and/or web site.
  • Compliance Plan document outlines the benefits of a Corporate Compliance Program as a way to obtain buy-in.
  • Code of conduct is reviewed annually with employees, contractors and governing body as part of ongoing compliance education.

#1 Policies and Procedures

slide-22
SLIDE 22

Best Practices

  • The Compliance Officer reports directly to the governing board, with dotted line responsibility to a member of senior management.
  • The CEO receives regular reports from the Compliance Officer if the Compliance Officer does not report directly to the CEO.
  • Compliance Committee membership includes governing body.
  • Privacy Officer and Security Officer participate in Committee meetings.
  • Compliance Committee meets monthly or bi-monthly.

#2 Compliance Program Oversight

slide-23
SLIDE 23

Best Practices

  • Use of an electronic training and education system that tracks mandatory compliance education of employees; notifies of due dates.
  • The compliance training materials are tailored to the needs of all levels and the educational backgrounds of all employees.
  • The compliance manual/code of conduct is distributed upon hire and annually.
  • Regular compliance-related information/education – newsletters; e-blasts, Compliance & Ethics week.

#3 Education

slide-24
SLIDE 24

Best Practices

  • The compliance program operates in an environment of transparency throughout all levels of the organization.
  • Clients/service recipients receive information on how to identify Medicaid fraud and how any concerns can be reported to management.
  • Provider uses posters/flyers about the Compliance Program and the hotline that uses pictures as well as text to communicate the expectation that if you see or hear anything, you should report it.

#4 Effective, Confidential Communication

slide-25
SLIDE 25

Best Practices

  • Employee performance evaluations incorporate compliance as one indicator of performance, as well as an employee’s adherence to applicable laws, regulations, and policies.
  • Discipline policies and the employee handbook reference the Compliance Program.

#5 Enforcement

slide-26
SLIDE 26

Best Practices

  • Use of a comprehensive self-assessment tool to plan and develop an annual Compliance Work Plan.
  • Internal monitoring and auditing systems are used throughout the organization.
  • A pre-claim review process is used prior to submission of claims.
  • A Compliance Program assessment is undertaken prior to the December certification period to identify potential Compliance Program gaps. Results are shared with governing body.

#6 Auditing and Monitoring

slide-27
SLIDE 27

Best Practices

  • Review OMIG’s, OIG’s, and CMS’s web sites for regulatory work plans and alerts associated with specific areas of focus; assess organizational risk in those areas; and develop appropriate action plans to address the risk or weakness.
  • Establish work plans with target dates for action and assignment of staff responsibility to address compliance related issues and Compliance Program gap analysis.

#7 Response and Corrective Action

slide-28
SLIDE 28

Best Practices

  • Exit interviews with employees include an interview with the Compliance Officer.
  • Compliance Officer reaches out to former employees 30 days after former employee’s separation date to inquire of any possible compliance matters observed during employment.

#8 Policy of Non-Retaliation/Intimidation

slide-29
SLIDE 29

Tool(s) to support this work

COMPLIANCE SURVEY TOOL

slide-30
SLIDE 30
  • Anonymous method to evaluate workforce understanding of Corporate Compliance Program. Use Survey Monkey (web-based tool: www.surveymonkey.com)
  • Survey can be customized to your organization and include specific areas of focus.
  • Consider outsourcing the survey.
  • If all employees do not have email, consider paper survey with easy method of return (e.g. drop box; stamped and addressed return envelope)

  • Use same questions for subsequent surveys.

Compliance Survey Tool

slide-31
SLIDE 31

1) What level of the organization is best represented by your job duties and responsibilities?

  • Senior Management, Manager/Supervisor, Clinician, Direct Service Staff, Support/Clerical Staff, Other

2) How many years have you worked at the Agency?

  • 0-1, 2-5, 6-10, 11-20, more than 20

3) Do you know how and where you can obtain a copy of the Agency’s Corporate Compliance Plan?

  • Yes, No, Unsure

4) Have you been provided with a copy of or electronic access to the Agency’s Code of Conduct?

  • Yes, No, Unsure

Survey Questions

slide-32
SLIDE 32

5) Do you find the Agency’s Code of Conduct understandable?

  • Yes, No, Unsure

6) Do you know what it means to have a conflict of interest as it relates to your employment with the Agency?

  • Yes, No, Unsure

7) Do you know how to contact the Agency’s Compliance Officer?

  • Yes, No, Unsure

8) What is the name of the Agency’s Compliance Officer?

9) Have you received compliance training since [date]?

  • Yes, No, Unsure

Survey Questions

slide-33
SLIDE 33

10) Were you provided with training information on Federal and State fraud and abuse laws, such as the False Claims Act, Anti-Kickback Statute, etc.?

  • Yes, No, Unsure

11) Were you provided with training information related to your specific program or job responsibilities (e.g., billing and coding, consumer service documentation)?

  • Yes, No, Unsure

12) In addition to compliance training, do you receive information from the Agency’s Compliance department regarding compliance issues or concerns on a periodic basis?

  • Yes, No, Unsure

Survey Questions

slide-34
SLIDE 34

13) Based on my experience, the importance of Compliance and Ethics is communicated adequately to all staff at the Agency.

  • Strongly agree, agree, disagree, unsure

14) Have you been informed that each and every Agency employee is expected to report suspected violations of laws, regulations, and/or the Agency’s Code of Conduct?

  • Yes, No, Unsure

15) Have you been informed that employees may report suspected wrongdoing anonymously or confidentially?

  • Yes, No, Unsure

16) Are you aware that the Agency has a Compliance Hotline to anonymously report suspected or actual wrongdoing?

  • Yes, No, Unsure

Survey Questions

slide-35
SLIDE 35

17) Are you aware that the Agency has a policy that you will not be disciplined for making a “good faith” report about unethical activities or compliance concerns that you may have observed?

  • Yes, No, Unsure

18) Based on your experience, are Agency disciplinary standards well-publicized and readily available to all Agency staff?

  • Yes, No, Unsure

19) Have you been informed that failure to abide by the Agency’s Code of Conduct, related policies, and/or legal requirements may result in disciplinary action?

  • Yes, No, Unsure

Survey Questions

slide-36
SLIDE 36

20) Based on your experience, are Agency employees held accountable when they violate compliance rules, regulations, policies/procedures, or the Agency’s Code of Conduct?

  • Yes, No, Unsure

21) Are you aware of whether the Agency’s Compliance Officer, compliance staff, or quality assurance staff visited your program or site in the past 12 months to conduct a compliance related activity/audit or to investigate a compliance matter?

  • Yes, No, Unsure

22) Based on your experience, do Agency Compliance personnel properly investigate potential violations of laws, regulations, policies/procedures, and/or the Agency’s Code of Conduct?

  • Yes, No, Unsure

Survey Questions

slide-37
SLIDE 37

23) Based on your experience, does Agency Senior Management follow applicable compliance standards and instructions regarding potential violations?

  • Yes, No, Unsure

24) Do you know to whom you should report a compliance issue or concern?

  • Yes, No, Unsure

25) Based on my experience, maintaining compliance and ethical standards is an integral part of the Agency’s organizational culture.

  • Strongly agree, agree, disagree, unsure

26) If you did not understand certain questions in this survey please provide the question number(s) in the space provided.

COMMENTS

Survey Questions

slide-38
SLIDE 38

What Do I Do With Results?

  • Quantify results: charts, graphs, summary
  • Engage/involve multidisciplinary team (e.g. Compliance Committee) to assist in analysis of results and identification of strategies and activities to improve results
  • Create action/work plan with objectives, target dates and responsible parties (Annual Compliance Work Plan)

  • Communicate results (Board, management, all employees)
  • Re-evaluate
slide-39
SLIDE 39

Examples of Findings

  • 1. What level of the organization is best represented by your job duties and responsibilities?

| Answer Options | 2015 Response Percent | 2015 Response Count | 2016 Response Percent | 2016 Response Count | 2017 Response Percent | 2017 Response Count |
|---|---|---|---|---|---|---|
| Senior Management | 17.3% | 65 | 20.6% | 86 | 19.65% | 67 |
| Manager/Supervisor | 9.8% | 37 | 7.2% | 30 | 6.45% | 22 |
| Direct Service Staff | 59.0% | 222 | 65.9% | 275 | 66.28% | 226 |
| Clinical | 3.5% | 13 | 1.4% | 6 | 1.47% | 5 |
| Support/Clerical Staff | 0.8% | 3 | 2.2% | 9 | 3.23% | 11 |
| Unsure | 9.6% | 36 | 2.6% | 11 | 2.93% | 10 |

slide-40
SLIDE 40

Examples of Findings

  • 3. Do you know how and where you can obtain a copy of the Agency’s Corporate Compliance Plan?

| Answer Options | 2015 Response Percent | 2015 Response Count | 2016 Response Percent | 2016 Response Count | 2017 Response Percent | 2017 Response Count |
|---|---|---|---|---|---|---|
| Yes | 77.7% | 293 | 78.7% | 328 | 89.74% | 306 |
| No | 12.2% | 46 | 8.4% | 35 | 4.11% | 14 |
| Unsure | 10.1% | 38 | 12.9% | 54 | 6.16% | 21 |

slide-41
SLIDE 41

Examples of Findings

  • 16. Are you aware that the Agency has a Compliance Hotline to anonymously report suspected or actual wrongdoing?

| Answer Options | 2015 Response Percent | 2015 Response Count | 2016 Response Percent | 2016 Response Count | 2017 Response Percent | 2017 Response Count |
|---|---|---|---|---|---|---|
| Yes | 78.7% | 296 | 81.3% | 339 | 88.56% | 302 |
| No | 9.3% | 35 | 7.2% | 30 | 4.40% | 15 |
| Unsure | 12.0% | 45 | 11.5% | 48 | 7.04% | 24 |

slide-42
SLIDE 42

Agency Experience

CATHOLIC FAMILY CENTER

LINDSAY GOZZI-THEOBALD, MS, CFE, CHC CHIEF QUALITY & COMPLIANCE OFFICER, CHIEF PRIVACY OFFICER LGOZZI-THEOBALD@CFCROCHESTER.ORG

slide-43
SLIDE 43

Major Messages

| Question | 2015 | 2016 |
|---|---|---|
| Know Conflict of interest | 100.0% | 99.5% |
| Know not good to bill for services not done | 100.0% | 98.6% |
| Agree compliance & ethics are an integral part of culture | 90.0% | 97.5% |
| – strongly agree | 60.0% | 66.8% |
| Awareness of not disciplining for reporting of compliance or ethical issues | 83.3% | 91.3% |
| Agree importance of compliance & ethics are communicated | 76.7% | 94.1% |
| – strongly agree | 20.0% | 58.5% |
| Know who to report issue to | 70.0% | 90.2% |
| Know how to get a copy of compliance plan | 63.3% | 82.1% |
| Periodically receive additional info | 60.0% | 78.0% |
| Received compliance training | 46.7% | 84.4% |
| Know who compliance officer is | 6.3% | 69.1% |

  • Participation increased 590%.
  • Score of every question improved or maintained high performance.
slide-44
SLIDE 44

What do I do next?

slide-45
SLIDE 45

Take-aways: How Can I Get Started?

  • Complete the End of Semester 1/Midpoint evaluation
  • Review previous webinar(s)
  • If you have not done so, conduct a baseline assessment of your Corporate Compliance Program using OMIG tool. Identify areas of needed improvement.
  • Engage management and share results of Corporate Compliance Program assessment. Focus activities on insufficiencies and areas for improvement (e.g. training, communication, policy development and implementation, etc.).
  • Identify method to evaluate effectiveness. If survey will be used, establish timing (e.g. after training, annually before certification, etc.).

  • Determine how you will communicate and use results.
  • Assess HIPAA Privacy and Security compliance (baseline and ongoing).
  • Incorporate risk areas into Annual Compliance Work Plan
slide-46
SLIDE 46

Mark your calendars and register

Webinars (12-1pm): Contracting & Negotiation, 8/28/18

In-person events (10am-2pm): Albany 9/11/18, Rochester 9/12/18, NYC 9/17/18

slide-47
SLIDE 47

Send us any questions or feedback

Use the chat box or email us at: pda@ccsi.org